CVE Catalog

CVE-2026-40190

MediumCVSS 5.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile - higher than 23% of all known CVEs

Summary

In the LangSmith JavaScript/TypeScript SDK (langsmith) prior to version 0.5.18, an incomplete prototype pollution fix was found. The baseAssignValue() function only guards against the __proto__ key but fails to prevent traversal via constructor.prototype, allowing an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype and affect all objects in the Node.js process.

Risk Assessment

An attacker can remotely modify the prototype of objects in a Node.js application, potentially leading to unauthorized data access, privilege escalation, or arbitrary code execution within the application context.

Recommendation

Immediately update the langsmith library to version 0.5.18 or later. If an update is not possible, restrict access to the createAnonymizer() API and thoroughly validate all input data.

Original NVD description (English source)

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. This vulnerability is fixed in 0.5.18.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS